Comment on page
Change the FQDN of the RPort server
Learn how to use your own name instead of the random *.user.rport.io hostname
If you want to change the FQDN of a RPort server installed via the cloud-installer the first step is to create a DNS A Record that points to the IP address of your virtual machine.
🧨 Do not use a CNAME record pointing to the *.users.rport.io FQDN.
Always use an A-record.
The free DNS service of RPort will delete unused hostnames automatically, and your CNAME-record would become orphaned.
We will use
rport-server.example.com
as an example for the new hostname of your RPort server.Login to the console of your rport-server using SSH and verify the new DNS record has been set up properly. Execute the following two commands. Both must print the same IP address – the IP address of your RPort server.
# Query the DNS
$ dig +short rport-server.example.com
51.15.51.42
# Fetch your external IP address
$ wget -qO - 'https://api.ipify.org?format=text'
51.15.51.42
If you already have certificates for the new FQDN, you can skip this step.
Stop the RPort server first. To generate new free certificates via Let's Encrypt, execute the following commands.
systemctl stop rportd
FQDN=rport-server.example.com
# Generate
certbot certonly -d $FQDN -n \
--agree-tos --standalone \
--register-unsafely-without-email
# Change group ownerships so rport can read the files
chgrp rport /etc/letsencrypt/archive/
chmod g+rx /etc/letsencrypt/archive/
chgrp rport /etc/letsencrypt/live/
chmod g+rx /etc/letsencrypt/live/
chgrp rport /etc/letsencrypt/archive/$FQDN/
chmod g+rx /etc/letsencrypt/archive/$FQDN/
chgrp rport /etc/letsencrypt/archive/$FQDN/privkey1.pem
chmod g+rx /etc/letsencrypt/archive/$FQDN/privkey1.pem
chgrp rport /etc/letsencrypt/live/$FQDN/
ls -l /etc/letsencrypt/live/$FQDN/
With the new certificates generated, or with your own certificates, open the configuration file
/etc/rport/rportd.conf
with an editor. Scroll down to the lines where certificates are configured. Certificates are registered twice. In the [server]
and [api]
section. Change it as shown.Before (with random *users.rport.io FQDN)
# in the [server] section
tunnel_proxy_cert_file = "/etc/letsencrypt/live/14apzztqs96l.users.rport.io/fullchain.pem"
tunnel_proxy_key_file = "/etc/letsencrypt/live/14apzztqs96l.users.rport.io/privkey.pem"
# in the [api] section
cert_file = "/etc/letsencrypt/live/14apzztqs96l.users.rport.io/fullchain.pem"
key_file = "/etc/letsencrypt/live/14apzztqs96l.users.rport.io/privkey.pem"
After (example with your FQDN)
# in the [server] section
tunnel_proxy_cert_file = "/etc/letsencrypt/live/rport-server.example.com/fullchain.pem"
tunnel_proxy_key_file = "/etc/letsencrypt/live/rport-server.example.com/privkey.pem"
# in the [api] section
cert_file = "/etc/letsencrypt/live/rport-server.example.com/fullchain.pem"
key_file = "/etc/letsencrypt/live/rport-server.example.com/privkey.pem"

Change the path to the new certificates.
The
rportd.conf
file contains a setting url =
, that indicates clients who is their server. You must change this setting to the new hostname. If the client url contains a hostname, you must change it. If it contains an IP address, no changes are needed.Before (with random *users.rport.io FQDN)
url = "http://dtdu7j7pvaxv.users.rport.io:80"
After (example with your FQDN)
url = "rport-server.example.com"
If you client url consist of a hostname you must change this hostname on all clients too in the
rport.conf
client configuration file.If your rport server runs behind a reverse proxy, can be your own or a service like CloudFlare, pay attention to the
tunnel_host setting
. Usually, you must specify an alternative hostname that points directly to your rport server, bypassing all reverse proxies.If your RPort server is using the default script to send two-factor tokens via email, you must enter the new URL of your server in
/usr/local/bin/2fa-sender.sh
too.Open the script with an editor and enter the URL of your RPort server.
Before:
-F url=https://*.users.rport.io 2>&1)
After (example with your FQDN):
-F url=https://rport-server.example.com 2>&1)
Wildcards are not supported for custom domain names.
Also consider changing the
totp_account_name
. When using TOTP as the second login factor, this field is filled. If you chose the FQDN of the server as the value for this field, this value should be changed in line with the new FQDN.Finally, start the rport server again with
systemctl start rportd
. Type in the new https://<NEW_FQDN>
into your browser and check. 🎉Don't be frightened if clienst appear disconnected. Because the rport server has beend stopped for a while it takes some time to reconnect. But trust, they will all reconnect.
After
rportd
is running again and uses the new certificates for the new FQDN, the old certificated should be removed. Otherwise, certbot
would try to renew them too, at worst running into DNS resolution errors since the old FQDN doesn't exist any more.
A proper clean-up can be achieved by running certbot delete
and selecting the old cert via the corresponding number key.
Last modified 11mo ago